EXECUTIVE SUMMARY


Protecting the United States’ cyber networks, one of its key critical infrastructures, is vital to 
ensuring the security of the U.S. homeland. Government and industry have made steady efforts 
to heighten awareness and take action against cyber crimes, and these efforts are likely to 
continue. The President’s National Security Telecommunications Advisory Committee’s 
(NSTAC) Legislative and Regulatory Task Force (LRTF) was tasked with identifying existing 
legal penalties for prosecuting those committing intentional and malicious attacks on the 
Internet. It then made recommendations about whether current penalties should be strengthened 
and/or whether additional penalties were needed. This report represents the NSTAC’s 
recommendations regarding cyber crime laws. 

The Computer Fraud and Abuse Act, 18 United States Code, Section 1030, is the primary statute 
for prosecuting cyber crimes. It established penalties for creating computer viruses and 
conducting malicious Internet attacks, among other provisions. The 107th Congress passed two 
laws that modified the Computer Fraud and Abuse Act: the USA PATRIOT Act and the 
Homeland Security Act. These new laws increased existing cyber crime penalties, made it easier 
to prosecute cyber crimes, and called for a review, and an amendment if necessary, of sentencing 
guidelines for cyber crimes. 

During its deliberations, the LRTF recognized that many of the current cyber crime penalties had 
been either recently implemented or modified, making it difficult to assess their effectiveness 
over time. After reviewing current penalties and receiving input from industry and Government 
experts, the LRTF concluded that existing Federal penalties were adequate for prosecuting cyber 
crimes. Because it considered current domestic penalties to be sufficient, the LRTF proposed a 
series of recommendations and suggestions to encourage a well-rounded and proactive approach 
to preventing and responding to cyber crimes. 

The NSTAC recommends that the President, in accordance with responsibilities and existing 
mechanisms established by Executive Order 12472, Assignment of National Security and 
Emergency Preparedness Telecommunications Functions and other existing authority, direct the 
appropriate departments and agencies, in coordination with industry, to: 

• Increase prosecution of cyber crime at the State level; 

• Allot additional funds to the States to better train personnel in their jurisdictions on how 
to prosecute cyber crimes, respond to attacks, and address vulnerabilities; 

• Encourage Congress to ratify the Council of Europe (COE) Convention on Cybercrime, 
in conjunction with implementing legislation that provides, among other provisions, for 
reimbursement of reasonable costs incurred by communications service providers 
responding to data preservation requests, and encourage other nations to adopt the 
Convention;

• Work with international counterparts and through multilateral bodies, such as the G-8, 
COE, European Union (EU), Organization of American States (OAS), and the 
Asia-Pacific Economic Cooperation (APEC) to: 

■ Urge other nations to enact substantive and procedural laws implementing the 
provisions of the COE Convention on Cybercrime or provisions that are at least as 
comprehensive and that are consistent, wherever possible, with comparable 
provisions in U.S. law; 

■ Encourage other nations to adopt data preservation provisions of the sort set forth 
in the COE Convention, rather than data retention laws, which require retention ex 
ante of data regarding all communications on a network; 

■ Encourage countries to dedicate well-trained and well-equipped personnel to 
combat cyber crime and designate a 24-hour point of contact on such matters for 
urgent cross-border investigations; and 

■ Encourage better cooperation among nations for locating and identifying 
cyber-criminals, gathering evidence to bring them to justice, and implementing 
procedures to more rapidly and effectively prevent and mitigate cyber attacks. 

• Encourage companies to implement cyber security best practices by considering the 
implementation of relevant best practices as a factor in the awarding of Government 
information technology (IT) contracts. 

The NSTAC makes additional suggestions for industry and Government to pursue in order to 
protect the United States against cyber attacks. These suggestions include coordinating the 
launch of a nationwide education campaign to increase public awareness of the penalties and 
consequences for committing Internet attacks. Telecommunications service providers and 
infrastructure operators should also be encouraged to enter into non-disclosure agreements 
(NDA) that set a fixed amount of time for mitigating network incidents and vulnerabilities. With 
sufficient Federal penalties in place to prosecute cyber crime, and additional actions that provide 
a more well-rounded and proactive approach to fighting cyber crime, the United States can better 
protect its critical cyber networks from attacks and enhance its national security and homeland 
defense. 

1.0 INTRODUCTION AND CHARGE 


To ensure the security of its homeland, the United States must protect its critical infrastructures. 
One of the country’s most vital infrastructures is its cyber network, which enables the operation 
of key commercial and Government systems that deliver national security and emergency 
preparedness (NS/EP) communications services. Attacks on the cyber network are steadily 
increasing and continue to pose a dangerous threat to the U.S. economy and security. Industry 
sources estimate that in 2001, cyber attacks resulting from malicious code may have caused 
approximately $13 billion in damages.^ 

Industry and Government have made steady efforts to heighten awareness and take action against 
cyber crimes. Following the terrorist attacks of September 11, 2001, added attention was given 
to protecting cyber space, especially from terrorists who might use network attacks to cause 
widespread damage and outages. In addition, severe Internet attacks such as “NIMDA” and 
“Code Red” have raised public awareness about the potential damage that cyber attacks can 
inflict and, in response, many Americans have taken steps to protect their home computer 
systems. While industry has made progress in securing their networks, company officials say 
their efforts are sometimes hampered because it is difficult to gauge the financial benefits of 
making substantial, and hence costly, security upgrades. 

On September 18, 2002, the President’s Critical Infrastructure Protection (CIP) Board published 
a draft National Strategy to Secure Cyberspace. The draft strategy provides security 
recommendations for a wide range of Internet users—from small businesses and home users to 
large enterprises and the Federal Government. The CIP Board plans to update the strategy 
periodically with input from various groups. In addition, efforts to protect cyber space will 
likely be a priority at the direction of the new Department of Homeland Security. 

As industry, Government, and home users place more of an emphasis on protecting cyber space, 
it is important to review current legal penalties with regard to cyber crimes, especially those 
directed at the Nation’s NS/EP community. Assessing the effectiveness of the current legal 
foundation can help policymakers decide whether additional legislation is needed to strengthen 
the penalties and further secure U.S. cyber assets and the delivery of NS/EP communications. 

1.1 Background 


During the President’s National Security Telecommunications Advisory Committee (NSTAC) 
XXV Business Session, the Honorable Richard A. Clarke, Special Advisor to the President for 
Cyberspace Security and Chairman of the CIP Board, discussed the challenges to Internet 
security and the serious nature of the threats posed by vulnerabilities within two critical 
components of the Internet infrastructure—Domain Name Servers (DNS) and the Border 
Gateway Protocol (BGP). Hackers could exploit such vulnerabilities to create widespread 
distributed denial of service attacks because Internet protocol (IP) communications occur via 
in-band systems. Mr. Clarke urged the NSTAC to examine these vulnerabilities in the Internet 
architecture. This request led to a discussion about whether to strengthen legislation related to 
intentional and malicious damage to the Internet and public and private infrastructures/assets 
through the Internet. 

The Internet Security/Architecture Scoping Group initially addressed Mr. Clarke’s request. It 
recommended that the NSTAC’s Industry Executive Subcommittee (IES) task the Legislative 
and Regulatory Task Force (LRTF) to provide recommendations identifying the existing legal 
penalties for those committing intentional and malicious attacks on the Internet and to determine 
whether they should be strengthened and/or if additional penalties were needed. This report 
presents the LRTF’s response to those issues. 

1.2 Approach 


LRTF members, subject matter experts from their respective companies, and Government 
participants contributed to this effort. Appendix A provides a list of task force members, 
Government personnel, and other participants. The LRTF also received briefings from officials 
from the Department of Justice (DoJ) and WorldCom/UUNET on cyber crime laws and 
computer hacking issues. 

1.3 Scope of Study 


The LRTF’s jurisdiction in this tasking is to identify the existing legal penalties for those 
committing intentional and malicious attacks on the Internet and recommend whether there 
should be additional penalties and/or whether existing penalties should be strengthened. The 
LRTF has addressed this specific tasking. In addition, it has offered recommendations that it 
believes propose a more proactive and preventative approach to deterring cyber crime. Though 
some of these recommendations may not be consistent with the LRTF’s original tasking, the 
LRTF believes they may be valuable for preventing cyber crime overall. They also may be 
useful if NSTAC revisits the cyber crime prevention subject in the future. Because some of the 
recommendations could be deemed outside of the NSTAC’s scope, other Government bodies, 
such as the Network Reliability and Interoperability Council (NRIC), might also be more 
suitable for addressing them. 

2.0 PENALTIES FOR CYBER CRIME 


2.1 Overview of the Legal, Regulatory, and Legislative Environment 


The primary statute for prosecuting computer and cyber crimes is the Computer Fraud and 
Abuse Act, 18 United States Code, Section 1030. The statute sets penalties for 
creating computer viruses and conducting malicious Internet attacks, among other provisions. 

The 107th Congress approved numerous proposals for improving cyber security, including 
legislation to increase penalties for committing computer crime and to allocate more money for 
cyber security research and development. Two new laws designed to bolster national security 
and homeland defense include language to strengthen the Computer Fraud and Abuse Act’s 
cyber crime penalties: the USA PATRIOT Act, which was enacted in October 2001, and the 
Homeland Security Act, which was signed into law in November 2002. 

An official from the DoJ explained that prior to enactment of the USA PATRIOT Act, the 
Computer Fraud and Abuse Act defined punishable computer “damage” as a loss of at least 
$5,000 in value during any 1-year period to one or more individuals. The Justice official 
explained that the Computer Fraud and Abuse Act, as amended by the USA PATRIOT Act, 
permits losses to several computers from a hacker’s course of conduct to be aggregated in order 
to meet the $5,000 jurisdictional threshold. The USA PATRIOT Act also amended the 
Computer Fraud and Abuse Act to include a new offense for damaging computers used for 
national security or criminal justice purposes and increased penalties for hackers who damage 
such protected computers to as much as 20 years imprisonment for a repeat offense. 

The Homeland Security Act amended the Computer Fraud and Abuse Act to authorize life 
sentences for individuals who knowingly or recklessly commit a computer crime that results in 
death and 20-year sentences for individuals who knowingly or recklessly commit a computer 
crime that results in serious bodily injury. The act also directed the United States Sentencing 
Commission to review its sentencing guidelines for cyber crime and, if appropriate, amend the 
guidelines to ensure their effectiveness. 

2.2 Evaluating the Need for New Penalties 


To gain a strong grasp of the current legal environment for prosecuting cyber crimes, the LRTF 
focused its analysis on the legal statutes that prescribe penalties for cyber abuses. It examined 
the implementation of key provisions in the Computer Fraud and Abuse Act, as well as other 
cyber crime laws. In addition, the LRTF reviewed new cyber crime laws, focusing on their 
changes to current penalties. For a complete summary of Federal cyber crime penalties and 
recent updates to the law, please see Appendix B. 

During its deliberations, the LRTF recognized that many of the current cyber crime penalties and 
provisions had been either recently implemented or modified. It also acknowledged that recent 
modifications to the cyber crime laws substantially increased penalties, which would greatly 
improve the ability to punish for and deter cyber crimes. After assessing the most recent 
penalties and receiving input from industry and Government experts, the LRTF concluded that 
the recently modified Federal penalties were adequate for prosecuting Internet attacks because 
the existing penalties are very strong. 

2.3 Additional Findings 


The LRTF agreed to report to the IES that sufficient Federal penalties exist to prosecute 
intentional and malicious attacks on the Internet. Additionally, the LRTF acknowledged that its 
tasking to address cyber crime penalties was narrow in scope. It recognized that taking certain 
actions, in addition to having sufficient Federal penalties, would offer a more well-rounded, 
proactive, and preventative approach to deterring cyber crime. 

2.3.1 State Law 


The LRTF acknowledged the importance of having sufficient legal penalties in place not only at 
the Federal level but also at the State level. State penalties for cyber crimes should be consistent 
with Federal penalties and must be strong enough to make the threat of State prosecution deter 
cyber crime throughout the Nation. In addition, States should have the necessary resources to 
train their personnel on how to address network vulnerabilities and respond effectively to cyber 
attacks. States should also better educate the appropriate local officials on how to prosecute 
cyber crimes in their jurisdictions. Having sufficient penalties in place at the State level and 
having citizens who know how to mitigate and respond to attacks will help secure the Nation’s 
cyber infrastructure. 

2.3.2 International Law 


The vast majority of Internet attacks have an international component, making prosecutions of 
cyber crimes difficult because they often fall within the jurisdiction of other countries. While the 
LRTF believes that existing Federal laws are sufficient for prosecuting domestic cyber crimes, 
these laws are ineffective for prosecuting attacks that are generated outside of the United States. 
Therefore, having positive diplomatic relations with other countries is critical to U.S. cyber 
crime efforts, as the nature of the relationship often determines the level of cooperation for 
prosecuting a foreign hacker. 

There are four major areas of importance to the United States when working with other nations 
on cyber crime. First, other nations should implement strong anti-hacking laws to make it easier 
to prosecute criminals. Strong procedural laws in other countries also facilitate the retrieval of 
evidential information for cyber crime investigations. Second, countries should have dedicated 
computer crime personnel who are well trained, well equipped, and available around-the-clock to 
respond to cyber incidents. It is beneficial if these personnel are able to identify the sources of 
the Internet attacks and capture data immediately. Third, it is important to have a mechanism for 
locating and identifying the source of an attack that originates from abroad and preserving that 
evidence. Finally, it is important to be able to effectively gather evidence from other nations to 
enable prosecution for an attack with an international component. Performing computer 
forensics, such as authenticating digital pictures and e-mails, would help in the prosecution of 
cyber criminals. Presently, it is difficult to gather such evidence from abroad and to secure 
citizens from other countries to testify against cyber criminals because of the distances they need 
to travel to do so. Ideally, it would be beneficial to conduct investigations abroad as they are 
conducted in the United States. 

In addition, the disparate approaches to the way computer data is handled overseas continue to 
hamper U.S. cyber crime investigations. Some nations mandate the retention of data for a set 
period of time, such as 90 days. Data retention laws require retention ex ante of data regarding 
all communications on a network. Other countries prefer to provide for preservation of data once 
an investigation has begun or restrict its transfer across national boundaries.^ Some nations also 
require companies to destroy certain data after a period of time. Data destruction is common in 
some European Union (EU) member states, particularly in those that place a high premium on 
protecting the privacy of personal data. This lack of consistency among international data laws 
often makes it difficult for the United States to gather cyber crime evidence. Encouraging other 
nations, particularly the EU member states, to eliminate data destruction requirements and to 
adopt stronger and more consistent data preservation laws—instead of data retention laws—
would create greater legal consistency at an international level and would be helpful to U.S. 
efforts. Communications service providers generally accept the need for law enforcement to 
request that data associated with specific accounts or communications be preserved, but these 
providers should receive reimbursement for complying with these requests. 

There are several international bodies with which the U.S. can cooperate to gain support for 
international cyber crime initiatives. The G-8 is considered the most effective body for 
cooperating on cyber crime efforts. Despite having only eight members, the G-8’s focus on 
fighting cyber crime and the frequency of meetings among the Heads of State have assisted the 
U.S.’ international cyber crime initiatives. In addition, the Council of Europe (COE) consists of 
43 countries and is designed to facilitate international cooperation. On November 23, 2001, the 
COE adopted its Convention on Cybercrime (ETS no. 185). The Convention is the first 
international treaty on cyber crimes with the goal of pursuing a common criminal policy to 
protect society against cyber crimes. It seeks to achieve this goal by harmonizing domestic 
criminal substantive and procedural laws for gathering evidence and prosecuting cyber crimes 
and by establishing a regime for international cooperation. It also encourages a policy of data 
preservation. Several nations, including the United States, have signed the treaty. However, the 
United States and several other countries have not ratified the treaty. In that the United States 
signed the COE Convention on Cybercrime on November 23, 2001, the NSTAC recommends the 
Administration urge Congress to ratify the treaty at the earliest practical date.^ In addition, 
Congress should ratify the treaty in conjunction with implementing legislation that provides, 
among other provisions, for reimbursement of reasonable costs incurred by communications 
service providers responding to data preservation requests. 

^ The G-8 has defined data preservation as when: (a) upon lawful request by a competent authority, (b) based on the facts of a 
specific case, (c) specific historical data can be preserved to prevent its deletion, (d) pending issuance of a lawful demand from a 
competent. According to the G-8 definition, “preservation” does not include the prospective collection of data and does not 
obligate a service provider to generate data that it does not routinely require for lawful business practice. 

Federal agencies should also work with international counterparts and through multilateral 
bodies, such as the G-8, COE, EU, Organization of American States (OAS), and the Asia-Pacific 
Economic Cooperation (APEC) to encourage other nations to effectively address cyber crime. 
Specifically, they should urge other nations to enact substantive and procedural laws 
implementing the provisions of the COE Convention on Cybercrime or provisions that are at 
least as comprehensive and that are consistent, wherever possible, with comparable provisions in 
U.S. law. United States officials should encourage other nations to adopt data preservation 
provisions, such as those set forth in the COE Convention, instead of data retention laws. They 
should also encourage countries to dedicate well-trained and well-equipped personnel to combat 
cyber crime and designate a 24-hour point of contact for urgent cross-border investigations. 
Agencies should also encourage better cooperation among nations for locating and identifying 
cyber-criminals, gathering evidence to bring them to justice, and for implementing procedures to 
more rapidly and effectively prevent and mitigate cyber attacks. 

2.3.3 Cyber Security Best Practices 

The LRTF recognizes that encouraging the private sector to improve cyber security is critical to 
developing a well-rounded, proactive, and preventative approach to deterring cyber crime. 
Private sector networks are vital to keeping the U.S. economy running smoothly. Companies 
should implement common best practices for computer security that include concrete 
ramifications for abuses rather than lenient consequences. The Government could encourage 
companies to implement cyber security best practices by considering the implementation of 
relevant best practices as a factor in the contracting process of Government information 
technology (IT) contracts. There are several ways companies can implement common best 
practices, such as keeping current with patches and anti-virus software, understanding 
perimeters/filters and firewalls, and scanning systems periodically. In addition, the NRIC and 
the National Institute for Standards and Technology (NIST) are developing sets of cyber security 
best practices that are available for consideration. With encouragement from the Government, 
companies could enhance their security practices, which can better secure Internet systems 
across the nation. 

2.3.4 Information Exchange 


The majority of the Nation’s critical infrastructures are owned and operated by the private sector. 
Therefore, it is important that the private sector share information about vulnerabilities in these 
systems with each other and with the Government. The recently enacted Homeland Security Act 
includes a provision that would protect voluntarily shared critical infrastructure information from 
public disclosure under the Freedom of Information Act (FOIA).^ This provision aims to better 
protect sensitive information from falling into the hands of those who would exploit 
infrastructure vulnerabilities and help protect companies from having such information used 
against them. This provision should also help encourage the private sector to share information 
about the Nation’s critical infrastructures. 

^ The Council of Europe Website on the Convention on Cybercrime, 
http://www.coe.int/T/E/Legal_affairs/Legal_co-operation/Combating_economic_crime/Cybercrime/Convention/The_Convention.asp#TopOfPage. 

In addition to the FOIA modification, the Homeland Security Act contains a provision that limits 
legal liability for sharing critical infrastructure information. Section 214 states that shared 
critical infrastructure information “shall not... be used directly by such agency, any other 
Federal, State, or local authority, or any third party, in any civil action arising under Federal or 
State law if such information is submitted in good faith.” In addition, Sections 861-865 contain a 
provision that limits legal liability of companies that provide “qualified anti-terrorism 
technologies” to the Federal Government.^ While this provision does not specifically address 
potential liability issues when companies share vulnerability information with the Government, 
this protection is important for shielding anti-terrorism technology vendors. 

In October 1997, the President’s Commission on Critical Infrastructure Protection (PCCIP) 
published a report that detailed the growing capability to exploit information infrastructures and 
underscored the need for establishing information-sharing structures within the Government and 
the private sector. Building on the commission’s recommendations, the White House issued 
Presidential Decision Directive (PDD) 63 in May 1998, which called for the creation of 
public-private partnerships to help eliminate vulnerabilities in critical infrastructures. 

To advance those efforts, the LRTF has examined potential barriers to voluntary information 
sharing related to NS/EP communications, critical infrastructure protection, or other similar 
subjects. Previous LRTF reports have identified an array of barriers, including the potential 
damage to companies if their trade secrets and proprietary information are released; impediments 
that companies perceive might arise from antitrust and unfair business practices; liability 
concerns; and State government liability and disclosure concerns.^ Despite new provisions in the 
Homeland Security Act to encourage the sharing of critical infrastructure information, additional 
barriers to information sharing may still exist. For example, the LRTF notes that private 
contractual relationships in non-disclosure agreements (NDA) can also hinder information 
sharing. The LRTF will continue to examine whether additional barriers to information sharing 
remain, especially with regard to liability and antitrust concerns. 

2.4 Suggestions for Industry and Government 


The LRTF also formulated a series of proactive and preventative suggestions for the Government 
and industry to help deter cyber crime. Fundamental to that effort is making the culture of 
computer hacking more unattractive to potential script kiddies and hackers. To that end, the 
LRTF suggests that industry and the Government support already existing initiatives to develop 
nationwide educational campaigns, such as Stay Safe Online (SSOL), to increase public 
awareness of the penalties and consequences for committing Internet attacks. 

^ The Homeland Security Act of 2002, Subtitle B, “Critical Infrastructure Information,” Section 214. 

^ The Homeland Security Act of 2002, Subtitle G, “Support Anti-terrorism by Fostering Effective Technologies Act of 2002,” 
Sections 861 through 865. 

^ Telecommunications Outage and Intrusion Information Sharing Report, NSTAC Legislative and Regulatory Group, June 1999, 
Section 4.0, “Potential Legal Barriers to Information Sharing,” p. 24. 

Industry should also seek more contractual flexibility to report vulnerabilities and threats. The 
LRTF suggests that telecommunications and infrastructure providers enter into NDAs that set a 
fixed amount of time for mitigating network incidents and vulnerabilities. Such NDAs should 
permit vulnerabilities to be released to the proper authorities if an incident is not adequately 
addressed within the specific timeframe. The LRTF notes that the CERT® Coordination Center 
is currently studying a related issue. Further, the LRTF suggests that contracts between 
infrastructure operators and Internet service providers follow a structure that allows 
infrastructure providers to inform authorities about an attack or vulnerability if a certain 
percentage of their infrastructure is threatened. 

3.0 CONCLUSIONS 


The LRTF concludes that sufficient legal authority exists in the United States to penalize those 
who commit cyber crimes and to act as a deterrent for those considering committing such acts. 

In addition, the LRTF recognizes that having sufficient legal penalties in place cannot 
completely stop cyber crimes altogether and that a more proactive and comprehensive approach 
to curbing cyber crime is necessary to protect the United States’ critical networks. While 
addressing broader issues may fall outside the LRTF’s scope for this tasking, the LRTF believes 
that providing additional recommendations, such as those included in this report, may encourage 
a well-rounded and proactive approach to preventing and responding to cyber crimes. 

4.0 RECOMMENDATIONS 


NSTACRecommendations to the President 

The NSTAC recommends that the President, in accordance with responsibilities and 
existing mechanisms estahlished hy Executive Order 12472, Assignment of National 
Security and Emergency Preparedness Telecommunications Functions and other existing 
authority, direct the appropriate departments and agencies, in coordination with industry, 
to: 

• Increase prosecution of cyber erime at the State level; 

• Allot additional funds to the States to better train personnel in their jurisdictions on how 
to prosecute cyber erimes, respond to attacks, and address vulnerabilities; 

• Encourage Congress to ratify the COE Convention on Cybercrime, in conjunction with 
implementing legislation that provides, among other provisions, for reimbursement of 
reasonable costs incurred by communieations service providers responding to data 
preservation requests, and encourage other nations to adopt the Convention; 

• Work with international eounterparts and through multilateral bodies, such as the G-8, COE, 
EU, OAS, and APEC to: 

■ Urge other nations to enact substantive and proeedural laws implementing the 
provisions of the COE Convention on Cybercrime or provisions that are at least as 
comprehensive and that are consistent, wherever possible, with eomparable 
provisions in U.S. law; 

■ Encourage other nations to adopt data preservation provisions of the sort set forth in 
the COE Convention, instead of data retention laws, whieh require retention ex ante 
of data regarding all communications on a network; 

■ Encourage eountries to dedicate well-trained and well-equipped personnel to combat 
cyber erime and designate a 24-hour point of eontaet on such matters for urgent cross- 
border investigations; and 

■ Eneourage better cooperation among nations for locating and identifying eyber- 
eriminals, gathering evidence to bring them to justiee, and for implementing 
proeedures to more rapidly and effectively prevent and mitigate cyber attacks. 

• Encourage companies to implement cyber security best practices by considering the 
implementation of relevant best practices as a factor in the award of Government IT 
contracts. 
FEDERAL CYBER CRIME LAWS 

(Table columns: Law; USA PATRIOT Act Provisions; Homeland Security Act Provisions) 


Law: 18 U.S.C. § 1030, “The Computer Fraud and Abuse Act.” Fraud and Related 
Activity in Connection with Computers. Section 1030 includes penalties for crimes 
such as creating viruses and malicious attacks and creates penalties for someone 
who knowingly intends to cause damage. 

USA PATRIOT Act Provisions: 

• Increase penalties for hackers who damage protected computers (a maximum of 
10 years for first offenders and a maximum of 20 years for repeat offenders) 

• Clarify the mens rea required for such offenses to make explicit that a hacker 
need only intend damage, not a particular type of damage 

• Add a new offense for damaging computers used for national security or 
criminal justice 

• Expand the coverage of the statute to include computers in foreign countries 
so long as there is an effect on U.S. interstate or foreign commerce 

• Count state convictions as “prior offenses” for purpose of recidivist 
sentencing enhancements 

• Allow losses to several computers from a hacker’s course of conduct to be 
aggregated for purposes of meeting the $5,000 jurisdictional threshold 

Homeland Security Act Provisions: 

• Authorizes life sentences for individuals who knowingly or recklessly commit a 
computer crime that results in death 

• Authorizes 20-year sentences for individuals who knowingly or recklessly commit 
a computer crime that results in serious bodily injury 

• Directs the U.S. Sentencing Commission to review and amend federal sentencing 
guidelines where appropriate for computer crimes involving fraud and access to 
protected or restricted data 

• Such guidelines would reflect the need for a deterrent and would require 
consideration of any resulting losses and violations or disruptions of privacy, 
national security, public health or safety 


Law: 18 U.S.C. § 1029, Fraud and Related Activity in Connection with Access 
Devices 

USA PATRIOT Act Provisions: 

Using unauthorized access devices to obtain anything of value over $1,000 or 
obtaining unauthorized access to telecommunications services could result in: 

• A fine and/or up to 15 years imprisonment 

• Second offenses can result in up to 20 years imprisonment 

Homeland Security Act Provisions: (none listed) 


Law: 18 U.S.C. § 1361, Penalties for injuring or committing any depredation 
against Government property or contracts 

USA PATRIOT Act Provisions: 

• If the damage or attempted damage to such property exceeds the sum of $1,000, 
it may result in a fine and/or up to 10 years imprisonment 

• If the damage or attempted damage to such property does not exceed the sum of 
$1,000, it may result in a fine and/or up to 1 year imprisonment 

Homeland Security Act Provisions: (none listed) 


Law: 18 U.S.C. § 1362, Communication Lines, Stations, or Systems 

USA PATRIOT Act Provisions: 

Targets damage to or interference with property, or material of any radio, 
telegraph, telephone or cable, line, station, or system, or other means of 
communication, operated or controlled by the United States Government, or used 
or intended to be used for military or civil defense functions of the United 
States 

• Includes no minimum monetary damage requirement 

• Penalties include a fine and/or up to 10 years imprisonment 

Homeland Security Act Provisions: (none listed) 


Law: 18 U.S.C. § 2511, Interception and Disclosure of Wire, Oral, or Electronic 
Communications Prohibited 

USA PATRIOT Act Provisions: 

• Penalties include a fine and/or up to 5 years imprisonment 

Homeland Security Act Provisions: 

• Removes special penalty treatment for first time offenders who intercept a 
cellular phone call. Permits up to 5 years of jail time for first time offenders 
who intercept a cellular call 


Law: 18 U.S.C. § 2701, Unlawful Access to Stored Communications. Intentional 
access without authorization of a facility through which an electronic 
communication service is provided; or intentionally exceeds an authorization to 
access that facility; and thereby obtains, alters, or prevents authorized access 
to a wire or electronic communication while it is in electronic storage. 

USA PATRIOT Act Provisions: 

If the offense is committed for purposes of commercial advantage, malicious 
destruction or damage, or private commercial gain, penalties include: 

• First-time offenders may be fined or subject to imprisonment for up to 1 year 

• Repeat offenders may be imprisoned for up to 2 years 

• If the unlawful access is not for any of the stated purposes, then the offender 
may be fined or subject to imprisonment for up to 6 months 

Homeland Security Act Provisions: 

• Expands the list of disfavored purposes to include unlawful access in 
furtherance of any criminal or tortious act that violated any law 

• Raises the maximum criminal penalties from 1 to 5 years of imprisonment for 
first offenders and from 2 years to 10 years for repeat offenders 

• Maximum penalties for other violations are set at 1 year for first offenders 
and 5 years for repeat offenders 